State-backed threat group attacked Microsoft accounts

Software King of the World Microsoft says a state-backed threat group covertly accessed email accounts at around 25 organisations worldwide, including US and Western European government agencies.

The company attributed the attacks to Storm-0558, a threat actor based in China.

The group primarily targets government agencies in Western Europe, with a focus on espionage, data theft and credential access.

Volish security VP Charlie Bell said that this type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems.

Microsoft began investigating unusual mail activity on 16 June, following reports from customers.

Subsequent investigation revealed that Storm-0558 had obtained access to email data from multiple organisations. It was also able to access a “limited number” of consumer accounts linked to individuals likely affiliated with these organisations.

The unauthorised access began on 15 May. Storm-0558 used a Microsoft account (MSA) consumer signing key it had acquired to forge authentication tokens and gain entry into user email accounts.

Microsoft’s investigation showed Storm-0558 used this method to access customer email accounts through Outlook Web Access (OWA) in Exchange Online and Outlook.com.

“The actor used an acquired MSA key to forge tokens to access OWA and Outlook.com,” the company said.

MSA (consumer) keys and Azure AD (enterprise) keys are issued and managed by separate systems, and a key from one system is meant to be accepted only by the services that trust that system.

However, the threat actor exploited a token validation issue: tokens signed with the consumer key were accepted as if they had been issued for Azure AD users, which let the group impersonate enterprise accounts.

This gave the group unauthorised access to enterprise mail accounts.
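Microsoft has not published the internals of the validation issue, so the following is an added illustration, not Microsoft's code and not a claim about how its validators were built. It models the general shape of such a gap: a verifier that picks the signing key by `kid` alone from one combined key set, next to one that only consults the keys published by the issuer the token claims. Issuer URLs, key IDs, the `exchange-online` audience and the sample user are constructed for the example; the token format is a plain RS256 JWT built with the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Issuer URLs, key IDs and the sample user in this file are constructed for the example.
const (
	ConsumerIssuer   = "https://login.example.test/consumer"   // stands in for the MSA issuer
	EnterpriseIssuer = "https://login.example.test/enterprise" // stands in for the Azure AD issuer
)

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// must keeps the example short: key generation and signing cannot fail here unless rand is broken.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint produces an RS256 JWT. The private-key holder picks the kid and every claim, including iss and sub.
func mint(kid string, priv *rsa.PrivateKey, c claims) string {
	enc := base64.RawURLEncoding
	hdr := must(json.Marshal(map[string]string{"alg": "RS256", "kid": kid}))
	body := must(json.Marshal(c))
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]))
	return input + "." + enc.EncodeToString(sig)
}

// Validate checks structure, signature, audience and expiry; lookup decides which public key may verify the (iss, kid) pair the token presents.
func Validate(tok string, lookup func(iss, kid string) (*rsa.PublicKey, bool), wantAud string, now time.Time) (claims, error) {
	var c claims
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	for i, v := range []any{&hdr, &c} {
		if raw, err := base64.RawURLEncoding.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, v) != nil {
			return c, fmt.Errorf("malformed token")
		}
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("malformed token")
	}
	pub, ok := lookup(c.Iss, hdr.Kid) // the one step where the two policies in Scenario differ
	if !ok {
		return c, fmt.Errorf("kid %q is not an accepted key for issuer %q", hdr.Kid, c.Iss)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	if c.Aud != wantAud || now.Unix() >= c.Exp {
		return c, fmt.Errorf("wrong audience or expired")
	}
	return c, nil
}

// Scenario forges an enterprise-user token with the consumer key and reports which policy accepts it, plus whether the scoped policy still accepts a genuine token.
func Scenario() (forgedFlat, forgedScoped, genuineScoped bool) {
	msaKey := must(rsa.GenerateKey(rand.Reader, 2048))
	aadKey := must(rsa.GenerateKey(rand.Reader, 2048))
	all := map[string]*rsa.PublicKey{"msa-1": &msaKey.PublicKey, "aad-1": &aadKey.PublicKey}
	byIss := map[string]map[string]*rsa.PublicKey{
		ConsumerIssuer:   {"msa-1": &msaKey.PublicKey},
		EnterpriseIssuer: {"aad-1": &aadKey.PublicKey},
	}
	// Weak policy: one kid->key map for both issuers, so iss never constrains which key is tried.
	flat := func(_, kid string) (*rsa.PublicKey, bool) { k, ok := all[kid]; return k, ok }
	// Scoped policy: only keys published by the issuer the token claims are eligible.
	scoped := func(iss, kid string) (*rsa.PublicKey, bool) { k, ok := byIss[iss][kid]; return k, ok }
	now := time.Now()
	ent := claims{Iss: EnterpriseIssuer, Sub: "user@agency.example", Aud: "exchange-online", Exp: now.Add(time.Hour).Unix()}
	forged := mint("msa-1", msaKey, ent) // consumer key signing an enterprise identity
	genuine := mint("aad-1", aadKey, ent)
	_, e1 := Validate(forged, flat, "exchange-online", now)
	_, e2 := Validate(forged, scoped, "exchange-online", now)
	_, e3 := Validate(genuine, scoped, "exchange-online", now)
	return e1 == nil, e2 == nil, e3 == nil
}
```

Calling `Scenario()` returns `true, false, true`: the flat policy accepts the forged enterprise token because the consumer key's signature is cryptographically valid, the scoped policy rejects it because `msa-1` is not among the keys the enterprise issuer publishes, and a token signed by the enterprise key still passes. The practical lesson is that a valid signature answers "was this signed by a key I know" but not "was this signed by the key that is allowed to vouch for this issuer and audience"; a verifier has to bind the key set to the `iss` it is validating, and a stolen key from a sibling system should fail at that step rather than at the signature check.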

“We have no indications that Azure AD keys or any other MSA keys were used by this actor. OWA and Outlook.com are the only services where we have observed the actor using tokens forged with the acquired MSA key,” Microsoft said.

The company says it took immediate steps to address the situation by mitigating the acquired MSA key, so that tokens signed with it are no longer accepted.

It says it has also blocked Storm-0558's activity, and that the group is no longer able to continue its unauthorised access.